  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-fs/squashfs-tools-4.3"

Free and open source webmail software for the masses, written in PHP.

Roundcube, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line.

An authenticated remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Don’t use an MTA (Mail Transfer Agent) in conjunction with Roundcube which implements sendmail’s “-O” or “-X” parameter, or configure Roundcube to use an SMTP server as recommended by upstream.

All Roundcube users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/roundcube-1.2.3"

Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service.

Multiple vulnerabilities have been discovered in Tor. Please review the CVE identifier and change log referenced below for details.

A remote attacker could possibly cause a Denial of Service condition.

There is no known workaround at this time.

All Tor users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.8.9"

Xerces-C++ is a validating XML parser written in a portable subset of C++.

Multiple vulnerabilities have been discovered in Xerces-C++. Please review the CVE identifiers referenced below for details.

A remote attacker could entice a user to process a specially crafted file, possibly resulting in the remote execution of arbitrary code with the privileges of the process, or a Denial of Service condition.

There is no known workaround at this time.

All Xerces-C++ users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/xerces-c-3.1.4-r1"

Samba is a suite of SMB and CIFS client/server programs.

Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details.

A remote attacker could possibly execute arbitrary code with root privileges, cause a Denial of Service condition, conduct a man-in-the-middle attack, obtain sensitive information, or bypass file permissions.

There is no known workaround at this time.

All Samba users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-fs/samba-4.2.11"

A SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

Multiple vulnerabilities have been discovered in Firejail. Please review upstream’s release notes below for details.

A remote attacker could possibly bypass sandbox protection, cause a Denial of Service condition, or change a system’s DNS server.

There is no known workaround at this time.

All Firejail users should switch to the newly added LTS version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/firejail-lts-0.9.38.6"

Users who want to stay on the current branch should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.44.2"

mod_wsgi is an Apache2 module for running Python WSGI applications.

mod_wsgi, when creating a daemon process group, does not properly handle dropping group privileges.

Context-dependent attackers could escalate privileges due to the improper handling of group privileges.

There is no known workaround at this time.

All mod_wsgi users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apache/mod_wsgi-4.3.0"

Openfire (formerly Wildfire) is a cross-platform real-time collaboration server based on the XMPP (Jabber) protocol.

Multiple vulnerabilities have been discovered in Openfire. Please review the CVE identifiers referenced below for details.

A remote attacker could bypass the CSRF protection mechanism, conduct Cross-Site Scripting attacks, or an authenticated remote attacker could gain privileges while accessing Openfire’s web interface.

There is no known workaround at this time.

All Openfire users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/openfire-4.1.0"

Icinga is an open source computer system and network monitoring application. It was originally created as a fork of the Nagios system monitoring application in 2009.

The Icinga daemon was found to perform unsafe operations when handling the log file.

A local attacker, who either is already Icinga’s system user or belongs to Icinga’s group, could potentially escalate privileges.

There is no known workaround at this time.

All Icinga users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/icinga-1.13.4"

The friendly PIL fork.

Multiple vulnerabilities have been discovered in Pillow. Please review the CVE identifiers referenced below for details.

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application, or obtain sensitive information.

A remote attacker could execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

There is no known workaround at this time.

All Pillow users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/pillow-3.4.2"

CyaSSL is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud.

Multiple vulnerabilities have been discovered in CyaSSL. Please review the CVE identifiers referenced below for details.

An attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or conduct a man-in-the-middle attack.

There is no known workaround at this time.

Upstream has discontinued the software in favor of wolfSSL. Therefore, the CyaSSL package has been removed from the Gentoo repository and current users are advised to unmerge the package.

  # emerge --unmerge "net-libs/cyassl"

Chicken is a Scheme interpreter and native Scheme-to-C compiler.

Multiple vulnerabilities have been discovered in Chicken. Please review the CVE identifiers referenced below for details.

A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

There is no known workaround at this time.

All Chicken users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-scheme/chicken-4.10.0-r1"

libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression.

The accelerated Huffman decoder was previously invoked once 128 bytes were available in the input buffer. However, it is possible to construct a JPEG image with Huffman blocks > 430 bytes in length, so the fast path could read past the data it was given. This release simply increases the minimum buffer size for the accelerated Huffman decoder to 512 bytes, which should accommodate any possible input.

A remote attacker could entice a user to open a specially crafted image file, resulting in the execution of arbitrary code.

There is no known workaround at this time.

All libjpeg-turbo users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-1.5.0"

Xen is a bare-metal hypervisor.

Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details.

A local attacker could possibly execute arbitrary code with the privileges of the process, could gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information.

There is no known workaround at this time.

All Xen users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.7.1-r4"

All Xen Tools users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-tools-4.7.1-r4"

All Xen PvGrub users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-pvgrub-4.7.1-r1"

MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an enhanced, drop-in replacement for MySQL.

Multiple vulnerabilities have been discovered in MariaDB and MySQL. Please review the CVE identifiers referenced below for details.

Attackers could execute arbitrary code, escalate privileges, and impact availability via unspecified vectors.

There is no known workaround at this time.

All MariaDB users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.0.28"

All MySQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.34"

Bash is the standard GNU Bourne Again SHell.

Multiple vulnerabilities have been discovered in Bash. Please review the CVE identifiers referenced below for details.

A local attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

There is no known workaround at this time.

All Bash users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-shells/bash-4.3_p48-r1"

libarchive is a library for manipulating different streaming archive formats, including certain tar variants, several cpio formats, and both BSD and GNU ar variants.

Multiple vulnerabilities have been discovered in libarchive. Please review the CVE identifiers referenced below for details.

A remote attacker could entice a user to open a specially crafted archive file, possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition.

There is no known workaround at this time.

All libarchive users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.2.2"

Mutt is a small but very powerful text-based mail client.

A heap-based buffer overflow was discovered in Mutt’s mutt_substrdup function.

A remote attacker could cause a Denial of Service condition.

There is no known workaround at this time.

All Mutt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/mutt-1.5.23-r5"

BusyBox is a set of tools for embedded systems and is a replacement for GNU Coreutils.

The recv_and_process_client_pkt function in networking/ntpd.c in BusyBox allows remote attackers to cause a Denial of Service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.

A remote attacker might send a specially crafted packet to a machine running BusyBox ntpd, possibly resulting in a Denial of Service condition.

There is no known workaround at this time.

All BusyBox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.25.1"

e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4 file systems.

A heap-based buffer overflow was discovered in openfs.c in the libext2fs library in e2fsprogs.

A remote attacker could entice a user to use the ext2fs library (for example, via fsck) on a specially crafted ext2/3/4 file system, possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition.

There is no known workaround at this time.

All e2fsprogs users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.42.12"

Open vSwitch is a production quality multilayer virtual switch.

A buffer overflow was discovered in lib/flow.c in ovs-vswitchd.

A remote attacker, using a specially crafted MPLS packet, could execute arbitrary code.

There is no known workaround at this time.

All Open vSwitch users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/openvswitch-2.5.0"

w3m is a text-based WWW browser.

Multiple vulnerabilities have been discovered in w3m. Please review the CVE identifiers referenced below for details.

A remote attacker could execute arbitrary code with the privileges of the process or cause a Denial of Service condition via a maliciously crafted HTML file.

There is no known workaround at this time.

All w3m users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/w3m-0.5.3-r9"

Xdg-Utils is a set of tools allowing all applications to easily integrate with the Free Desktop configuration.

An eval injection vulnerability was discovered in Xdg-Utils.

A context-dependent attacker could execute arbitrary code via the URL argument to xdg-open.

There is no known workaround at this time.

All Xdg-Utils users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-misc/xdg-utils-1.1.1"

Pidgin Off-the-Record (OTR) messaging allows you to have private conversations over instant messaging. libotr is a portable off-the-record messaging library.

Multiple vulnerabilities exist in both libotr and Pidgin OTR. Please review the CVE identifiers for more information.

A remote attacker could send a specially crafted message, possibly resulting in the execution of arbitrary code with the privileges of the process, or cause a Denial of Service condition.

There is no known workaround at this time.

All libotr users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libotr-4.1.1"

All Pidgin OTR users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-plugins/pidgin-otr-4.0.2"

musl is a “libc”, an implementation of the standard library functionality described in the ISO C and POSIX standards, plus common extensions, intended for use on Linux-based systems.

A vulnerability was discovered in musl’s tre_tnfa_run_parallel function buffer overflow logic, due to the incorrect use of integer types and missing overflow checks.

An attacker, who controls the regular expression and/or string being searched, could execute arbitrary code with the privileges of the process.

There is no known workaround at this time.

All musl users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.15-r2"

memcached is a high-performance, distributed memory object caching system.

Multiple integer overflow vulnerabilities were discovered in memcached. Please review the CVE identifiers and Cisco TALOS reports referenced below for details.

A remote attacker could abuse memcached’s binary protocol, leading to the remote execution of arbitrary code.

There is no known workaround at this time.

All memcached users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/memcached-1.4.33"

The HDF5 technology suite includes a data model, library, and file format for storing and managing data.

Multiple arbitrary code execution vulnerabilities have been discovered in HDF5. Please review the CVE identifiers referenced below for details.

An attacker could execute arbitrary code with the privileges of the process via a maliciously crafted database file.

There is no known workaround at this time.

All HDF5 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sci-libs/hdf5-1.8.18"
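Every resolution above is the same procedure: a `>=category/package-version` atom naming the first fixed version, or a bare atom for a package that must be unmerged. The following is an added example, not part of the advisories or of Portage, that audits an installed-package inventory against those atoms; it parses the atoms, orders versions by the Gentoo suffix and revision rules (assuming numeric components compare as plain integers, which ignores the leading-zero rule), and reports what still sits below the fixed version. The inventory is constructed sample data; the atoms are the ones quoted above.

```python
import re
# Suffix ordering from the Gentoo Package Manager Specification:
# _alpha < _beta < _pre < _rc < (plain release) < _p
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
ATOM_RE = re.compile(r"^(?P<op>>=)?(?P<cp>[\w+-]+/[\w+-]+?)(?:-(?P<ver>\d[^/]*))?$")
VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")

def version_key(ver):
    """Map a Gentoo version string to a tuple that sorts in PMS order.
    Assumption: numeric components compare as integers (leading-zero rule ignored)."""
    m = VER_RE.match(ver)
    if not m:
        raise ValueError("unsupported version: " + ver)
    nums, letter, suffixes, rev = m.groups()
    key_suf = tuple((SUFFIX_RANK[s], int(n or 0))
                    for s, n in re.findall(r"_([a-z]+)(\d*)", suffixes))
    # A plain release sits between _rc and _p, so the suffix list ends with rank 0.
    return (tuple(int(n) for n in nums.split(".")), ord(letter) if letter else 0,
            key_suf + ((0, 0),), int(rev or 0))

def parse_atom(atom):
    """Split '>=cat/pkg-1.2.3' into (operator, 'cat/pkg', '1.2.3'); a bare atom has no version."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError("unsupported atom: " + atom)
    return m.group("op") or "", m.group("cp"), m.group("ver")

def affected(installed, advisory_atoms):
    """Return (cat/pkg, installed version, atom) for each installed package still affected.
    '>=' means fixed from that version on; a bare atom (the unmerge case) means
    every installed version is affected."""
    hits = []
    for atom in advisory_atoms:
        op, cp, fixed = parse_atom(atom)
        have = installed.get(cp)
        if have is not None and (op == "" or version_key(have) < version_key(fixed)):
            hits.append((cp, have, atom))
    return hits

# Constructed sample inventory (not real system data) and atoms quoted from the advisories.
INSTALLED = {"mail-client/roundcube": "1.2.2", "app-shells/bash": "4.3_p48",
             "dev-libs/xerces-c": "3.1.4-r1", "net-misc/tor": "0.2.9.1_alpha",
             "net-libs/cyassl": "3.3.0"}
ADVISORIES = [">=mail-client/roundcube-1.2.3", ">=app-shells/bash-4.3_p48-r1",
              ">=dev-libs/xerces-c-3.1.4-r1", ">=net-misc/tor-0.2.8.9", "net-libs/cyassl"]

if __name__ == "__main__":
    for cp, have, atom in affected(INSTALLED, ADVISORIES):
        print(f"{cp}-{have} still affected; resolution atom: {atom}")
```

On the sample inventory the Bash entry is flagged only because the advisory requires revision -r1 of the same 4.3_p48 release, which is exactly the distinction a naive string comparison would miss.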